
Lesson 8: Network Security and Defending Against Attacks


Presentation Transcript


  1. Lesson 8: Network Security and Defending Against Attacks

  2. Overview
  • Basic Security Tools
  • A Real-world Example
  • Computer Incident Taxonomy

  3. Firewall: Application Proxy
  • Uses data from layers 3 and 4, and the application layer
  • Filters on application-specific data, such as FTP’s put (upload) and get (download) commands
  • Provides for more granular security policy implementation
  • Implements “proxies” on the firewall
    • A proxy represents an application
    • Proxies usually exist for ubiquitous applications: HTTP, FTP, streaming media protocols, etc.
    • If there is no proxy on the firewall for an application, security is reduced
  • Can implement servers on the firewall
    • Eliminates traffic into the network for those applications
    • Consumes firewall resources
  • Creates and maintains two TCP connections per TCP session
    • Involves the firewall in ACKs, window sizing, throttling rate, etc.

  4. Firewall Technologies: Static Packet Filtering
  • Compares data from layers 3 and 4 of packets against a set of pre-defined rules to permit or deny access through the firewall
    • Source IP address and port
    • Destination IP address and port
  • Filters on permissible connections
  • Packets can flow on a permitted path without a valid connection

  5. Firewall: Stateful Packet Inspection
  • Like static packet filtering, compares source and destination data from layers 3 and 4 against a set of pre-defined rules
  • Also interprets flag data from headers to determine state
    • SYN and ACK flags used in connection establishment
    • FIN, RST, ACK flags used in connection termination
  • Records existing connections in a state table
  • Inspects arriving packets to determine if a connection already exists between that client and server
    • Facilitates prevention of attacks in which unauthorized packets appear to be traversing an already-established connection when in fact no connection exists

  6. Firewall Comparisons: Performance Features
  • Stateful packet inspection occurs at a lower level of the protocol stack
  • Application proxies' extra per-packet processing time is magnified during periods of heavy short-packet traffic
    • Web applications generate large amounts of short packets
  • Application proxies generally have more processes (consuming more system resources) than stateful packet inspection, because each proxy needs separate processes
  • Stateful packet inspection does not incur the added performance cost of filtering on application-level data
  • Application proxies create and maintain two TCP connections; stateful packet inspection is responsible for zero TCP connections
    • Degrades both network and failover performance

  7. Firewall Comparisons: Security Features
  • Application proxies filter application-level data
    • Greater flexibility in security policy implementation
    • Capability sparsely implemented in CITS architecture
  • Application-proxy firewalls have a limited number of proxies
    • If no proxy exists for an application, the firewall defaults to a less secure technology (e.g., static packet filtering)
    • Many applications have no proxy
  • Stateful packet inspection allows direct TCP connections between the client and server
  • All enterprise FWs offer Network Address Translation (NAT)
    • Hides internal IP addresses from outside entities
    • Hides internal network architecture from outside entities
    • Expands the available number of IP addresses to the enterprise

  8. TCP Connection Establishment: Three-way Handshake
  [Diagram: Client (address A) and Server (address B) across the Internet. Packet 1: SYN=1, ACK=0, source A, destination B. Packet 2 (response): SYN=1, ACK=1, source B, destination A.]
  • Step 1: Client A creates a “connection request” packet
    • Sets SYN flag to 1 and ACK flag to 0
    • Sets source as itself and the server as the destination
  • Step 2: Server B creates a “connection accept” packet
    • Sets SYN flag to 1 and ACK flag to 1
    • Sets source as itself and the client as the destination
  • Step 3 (not shown): Client responds with a connection affirmation
    • SYN flag to 1, ACK flag to 1; data can be “piggybacked”

  9. Penetrating a Static Packet Filter Firewall
  [Diagram: Hacker (address Z) and Trusted Server B on the Internet/NIPRNet; a Static Packet Filtering Firewall; Trusted Server A on the Trusted Network. Step 1: Packet 1, SYN=1, ACK=0, source A (forged), destination B. Step 2: Packet 2, SYN=1, ACK=1, source B, destination A. Step 3, the firewall: “Hmmm… Rules say to not allow packets from untrusted sources, and also don’t allow any connection establishments from outside… but Packet 2 is a response from a trusted server to a connection request from Server A inside the firewall -- Proceed.”]
  • Packets between Servers A and B are permitted if Server A initiates the connection
  • Hacker creates an “establish TCP connection” packet, forges the “source” so that it appears that the packet originates from the target inside the trusted network, and sends the packet to Server B on the Internet
  • Trusted Server B on the Internet receives the packet, misinterprets it as a connection request from Server A, and affirmatively responds to A
  • The firewall, not knowing that a connection does not currently exist between A and B, permits the packet into the trusted network

  10. Stateful Packet Inspection Firewall
  [Diagram: same layout as slide 9, with a Stateful Packet Inspection Firewall in front of the Trusted Network. Step 1: Packet 1, SYN=1, ACK=0, source A (forged), destination B. Step 2: Packet 2, SYN=1, ACK=1, source B, destination A. Step 3, the firewall: “Hmmm… Rules say to not allow packets from untrusted sources, and also don’t allow any connection establishments from outside… and deny packets if a connection does not exist. There’s no current connection -- Deny.”]
  • Packets between Servers A and B are permitted if Server A initiates the connection and the connection exists
  • Hacker creates an “establish TCP connection” packet, forges the “source” so that it appears that the packet originates from the target inside the trusted network, and sends the packet to Server B on the Internet
  • Trusted Server B on the Internet receives the packet, misinterprets it as a connection request from Server A, and affirmatively responds to A
  • The firewall, knowing that a connection does not currently exist between A and B, denies the packet entry into the trusted network
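The difference between slides 4/9 and 5/10 comes down to whether the firewall remembers the handshake of slide 8. The following simulation is an added example, not part of the lecture: it models a static packet filter (header fields only) and a stateful inspection firewall (header fields plus a state table keyed on the client/server pair), and runs both against the forged-SYN scenario of slides 9 and 10 and against a legitimate inside-initiated connection. The addresses A, B and Z, the rule set and the packet records are constructed for illustration; the decision strings and state names are my own.

```python
# Added example (not from the slides): static packet filtering vs. stateful
# packet inspection on the forged-SYN scenario of slides 9 and 10.
from dataclasses import dataclass, field

TRUSTED_NET = {"A"}  # hosts behind the firewall (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool


class StaticPacketFilter:
    """Slide 4: decides on layer-3/4 fields only; has no notion of a connection."""

    def decide(self, pkt: Packet) -> str:
        if pkt.dst not in TRUSTED_NET:
            return "PERMIT"  # outbound traffic from the trusted network is allowed
        if pkt.syn and not pkt.ack:
            return "DENY"  # rule: no connection establishment from outside
        # A SYN/ACK "looks like" a reply to an inside-initiated request, so the
        # static filter lets it through even though it never saw the SYN.
        return "PERMIT"


@dataclass
class StatefulInspectionFirewall:
    """Slide 5: the same rules, plus a state table of connections in progress."""

    state: dict = field(default_factory=dict)  # (client, server) -> state name

    def decide(self, pkt: Packet) -> str:
        if pkt.dst not in TRUSTED_NET:
            if pkt.syn and not pkt.ack:
                self.state[(pkt.src, pkt.dst)] = "SYN_SENT"  # inside host opened
            elif pkt.ack and (pkt.src, pkt.dst) in self.state:
                self.state[(pkt.src, pkt.dst)] = "ESTABLISHED"  # third packet
            return "PERMIT"
        if pkt.syn and not pkt.ack:
            return "DENY"
        # A SYN/ACK is legitimate only if the inside host actually sent the SYN.
        if self.state.get((pkt.dst, pkt.src)) in ("SYN_SENT", "ESTABLISHED"):
            return "PERMIT"
        return "DENY"  # "There's no current connection -- Deny."


def forged_syn_scenario(fw) -> str:
    """Slides 9/10: Z forges a SYN 'from A' to B; the firewall never sees it
    (it travels on the Internet side). B's SYN/ACK to A then reaches the
    firewall; return the firewall's decision on that reply."""
    reply = Packet(src="B", dst="A", syn=True, ack=True)
    return fw.decide(reply)


def legitimate_scenario(fw) -> str:
    """A really opens a connection to B; both designs should permit B's reply."""
    fw.decide(Packet(src="A", dst="B", syn=True, ack=False))
    return fw.decide(Packet(src="B", dst="A", syn=True, ack=True))


if __name__ == "__main__":
    print("static,   forged SYN/ACK :", forged_syn_scenario(StaticPacketFilter()))
    print("stateful, forged SYN/ACK :", forged_syn_scenario(StatefulInspectionFirewall()))
    print("static,   legitimate     :", legitimate_scenario(StaticPacketFilter()))
    print("stateful, legitimate     :", legitimate_scenario(StatefulInspectionFirewall()))
```

The static filter permits the forged reply because, as slide 4 says, packets can flow on a permitted path without a valid connection; the stateful firewall denies it because its state table has no entry for the (A, B) pair. Both permit the reply when A genuinely initiated the handshake.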

  11. Clients, Servers, Hackers
  [Diagram: users and servers on the Trusted Network behind an “Intranet” firewall; a DMZ containing a Web Server and a Directory Server; an Internet firewall; the Internet.]

  12. IP Security (IPSEC)
  • A cryptographic mechanism for IP
    • Current IP version: IPv4
    • Optional in IPv4, supported in IPv6
  • Two major modes:
    • Tunnel: encrypts both the data and header portions of the packet
    • Transport: encrypts the data portion of the packet
  • Requires both ends to be using IPSEC (obviously, since one end will encrypt, the other needs to be able to decrypt)
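To make the tunnel/transport distinction concrete, here is an added byte-level model (not from the slides and not real IPsec code) of what an on-path observer can read in each mode versus what the receiving peer recovers. The 16-byte “IP header” layout, the host and gateway names and the key are constructed; the HMAC-SHA256 counter keystream is a stand-in for ESP’s cipher, and because it is reused for every packet it is deliberately not secure, only a way to show which bytes each mode covers.

```python
# Added example (not from the slides): what is exposed in IPsec transport mode
# versus tunnel mode.  Toy packet format and toy cipher, constructed here.
import hashlib
import hmac

KEY = b"constructed-demo-key"
HDR_LEN = 16  # toy "IP header": "    src|    dst|" padded to 16 ASCII bytes


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode.  Stand-in for ESP's real cipher; the same
    keystream is reused per packet, so this illustrates coverage, not security."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the XOR


def ip_header(src: str, dst: str) -> bytes:
    """Toy header carrying only the addresses (names up to 7 chars)."""
    return f"{src:>7}|{dst:>7}|".encode()


def transport_mode(src: str, dst: str, payload: bytes) -> bytes:
    """Slide 12, transport: the original header stays in the clear and only the
    data portion is encrypted."""
    return ip_header(src, dst) + encrypt(KEY, payload)


def tunnel_mode(src: str, dst: str, payload: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Slide 12, tunnel: the whole original packet (header + data) is encrypted
    and a new outer header with the two gateways' addresses is prepended."""
    inner = ip_header(src, dst) + payload
    return ip_header(gw_src, gw_dst) + encrypt(KEY, inner)


def _split_header(hdr: bytes) -> tuple:
    src, dst, _ = hdr.decode().split("|")
    return src.strip(), dst.strip()


def observer_view(wire: bytes) -> dict:
    """What someone without the key learns: the outer addresses only."""
    src, dst = _split_header(wire[:HDR_LEN])
    return {"src": src, "dst": dst, "encrypted_bytes": len(wire) - HDR_LEN}


def receiver_view(wire: bytes, tunnel: bool) -> dict:
    """The peer holding the key recovers the inner addresses and the payload."""
    if tunnel:
        inner = decrypt(KEY, wire[HDR_LEN:])
        src, dst = _split_header(inner[:HDR_LEN])
        payload = inner[HDR_LEN:]
    else:
        src, dst = _split_header(wire[:HDR_LEN])
        payload = decrypt(KEY, wire[HDR_LEN:])
    return {"src": src, "dst": dst, "payload": payload}


if __name__ == "__main__":
    msg = b"secret"
    t = transport_mode("hostA", "hostB", msg)
    u = tunnel_mode("hostA", "hostB", msg, "gwA", "gwB")
    print("transport, observer:", observer_view(t))  # sees hostA -> hostB
    print("tunnel,    observer:", observer_view(u))  # sees only gwA -> gwB
    print("tunnel,    receiver:", receiver_view(u, tunnel=True))
```

In transport mode the observer still learns which two hosts are talking; in tunnel mode only the gateway pair is visible, which is why tunnel mode is what gateway-to-gateway VPNs (slide 13) use.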

  13. Virtual Private Networks
  • A secure connection over a public network
    • Connect disjoint pieces of the same network
    • Connect mobile users
  • VPNs provide security through cryptography
    • IPSEC
    • PPTP
  • VPNs are HOLES in firewalls

  14. Large Company Enterprise Overview
  [Diagram: Internet; IDS; FW; Web Services; FW; Intranet; IDS; Company Clients.]

  15. Sample Network and Security
  [Diagram: an Internet attack arriving from the Internet.]

  16. A Better Picture of the Network and the Potential Threats
  [Diagram: an Internet attack from the Internet, plus a back-door attack over the PSTN through a user-connected modem.]

  17. And what else could possibly happen next?
  [Diagram: as slide 16, with wireless and VoIP added alongside the Internet attack and the modem back-door attack over the PSTN.]

  18. Computer Security Incidents Taxonomy

  19. Need an accepted taxonomy because . . .
  • Provides a common frame of reference
  • If no taxonomy, then we:
    • Can’t develop common reporting criteria
    • Can’t develop processes and standardization
    • Ultimately, no IA “Common Language”

  20. Taxonomy
  [Diagram: logically related columns A + B = C, each holding numbered categories.]
  • Must be: logically related columns
  • Must have these characteristics . . .
    • Exhaustive
    • Mutually exclusive
    • Repeatable
    • Unambiguous
    • Accepted
    • Useful

  21. Where to start?
  • The inability to share data because of non-standard terminology is not a new problem
  • For this reason several computer security taxonomies have already been developed
  • Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
    • Currently in use at Carnegie Mellon’s CERT/CC
  • Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)

  22. Sandia Labs Network Based Taxonomy
  [Diagram: an Incident spans Attackers, Attack(s) and Objectives; an Attack spans Tool, Vulnerability, Event (Action + Target) and Unauthorized Result.]
  • Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
  • Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
  • Vulnerability: Design, Implementation, Configuration
  • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
  • Target: Account, Process, Data, Component, Computer, Network, Internetwork
  • Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
  • Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage

  23. Basic Model
  [Diagram: Incident = Attackers (Intruders) + Attacks (Intrusions: Tool, Vulnerability, Action, Target, Unauthorized Result) + Objectives.]

  24. Computer Network “Incident”
  • Intruders: Hackers, Terrorists, Other
  • Intrusions (into the Defended Network): Increased access, Disclosure of info, Theft of resources, Corruption of info, Denial of Service
  • Objectives: Status/Thrills, Political Gain, Financial Gain, Damage

  25. Intrusion Taxonomy
  [Diagram: Intruders → Intrusion (Tool, Vulnerability, Event = Action + Target, Unauthorized Result) → Objectives.]

  26. Intrusion
  [Diagram: an Intruder connects across SECURITY into the Defended Network.]
  • Intruder tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
  • Vulnerabilities (in the Defended Network): Design, Implementation, Configuration
  • Events: Action, Target
  • Unauthorized results: Increased access, Disclosure, Corrupt data, Denial of Service, Theft
  • Objective: Thrills, Political Gain, Financial Gain, Damage

  27. Attempted Intrusion
  [Diagram: the Intruder’s connection is stopped at the FIREWALL before the Defended Network.]
  • Tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
  • Vulnerabilities: Design, Implementation, Configuration
  • Did have intent (objective): Thrills, Political Gain, Financial Gain, Damage
  • No Unauthorized Results

  28. Intrusion taxonomy in practice . . .
  [Diagram: the Sandia Labs taxonomy of slide 22 (Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives) with one path highlighted for a computer network intrusion; the entries that appear highlighted in the extracted slide are Design, Process, Bypass, Toolkit, Denial of Service and Corruption of Data.]

  29. Intrusion taxonomy in practice . . . Insider Threat
  [Diagram: the same taxonomy with a path for an Authorized User whose unauthorized result is Increased Access; entries highlighted in the extracted slide are Design, Process, Bypass and Tool Kit.]

  30. Taxonomy Applied: A Case Study

  31. Intrusion 1: Increased Access
  [Diagram: the Sandia Labs Network Based Taxonomy with the path for Intrusion 1 highlighted; entries repeated in the extracted slide are Account, User Command, Authenticate and Increased Access.]

  32. Intrusion 2: Root Level Access (Intrusion 1: Increased Access)
  [Diagram: the taxonomy with the path for Intrusion 2 highlighted; entries repeated in the extracted slide are User Command, Bypass and Root Access.]

  33. Intrusion 3: Disclosure of Information (Intrusion 2: Root Level Access; Intrusion 1: Increased Access)
  [Diagram: the taxonomy with the path for Intrusion 3 highlighted; entries repeated in the extracted slide are Data, Steal and Disclosure of Information.]

  34. The three intrusions together
  [Diagram: the taxonomy with the paths of Intrusion 1 (Increased Access), Intrusion 2 (Root Level Access) and Intrusion 3 (Disclosure of Information) shown side by side.]

  35. Further related activity
  [Diagram: the taxonomy with the three intrusions plus additional highlighted entries: Process, Implementation, Script or Program, Modify, Denial of Service and Theft of Resources.]

  36. New definition: “Intrusion Set”
  • Multiple related intrusions = “Intrusion Set”
  • Multiple events (Tool, Vulnerability, Action, Target, Unauthorized Result) tied to one Intruder and one Objective

  37. Who? What? Why?
  • Intrusion Sets answer the “what”
  • Need to know who? Need to know why? (Intruder AND Objectives)
  • Need more information to get to attribution

  38. Attribution: Who and Why?
  [Diagram: an Intrusion Set (Tool, Vulnerability, Action, Target, Unauthorized Result) linked to Intruders and Objectives.]

  39. Objective reporting criteria
  • Not every event? Must report all unauthorized results (actual or attempted): Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
  • Including intrusion data: Action, Target, Tool, Vulnerability
  [Diagram: the taxonomy’s Attackers and Objectives columns regrouped for reporting into Intruders (Group 1 to Group 4) against the objectives Challenge/Status/Thrill, Pol/Mil Gain, Financial Gain and Damage.]
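The taxonomy of slide 22, the attempted-intrusion case of slide 27, the intrusion-set definition of slide 36 and the reporting rule of slide 39 can be exercised together in code. What follows is an added example, not the lecture’s or the Sandia report’s code: a validator that rejects values outside the taxonomy (the “unambiguous” property of slide 20), and a function that folds related intrusions into an intrusion set while still counting attempts, since slide 39 requires attempted results to be reported too. The event records are constructed to mirror the three case-study intrusions of slides 31 to 33; the field names and the vulnerability values assigned to them are my assumptions.

```python
# Added example (not from the slides): the Howard/Longstaff categories as listed
# on slide 22, a validator, and an "intrusion set" builder (slide 36).
TAXONOMY = {
    "attacker": {"Hackers", "Spies", "Terrorists", "Corporate Raiders",
                 "Professional Criminals", "Vandals", "Voyeurs"},
    "tool": {"Physical Attack", "Information Exchange", "User Command",
             "Script or Program", "Autonomous Agent", "Toolkit",
             "Distributed Tool", "Data Tap"},
    "vulnerability": {"Design", "Implementation", "Configuration"},
    "action": {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof",
               "Read", "Copy", "Steal", "Modify", "Delete"},
    "target": {"Account", "Process", "Data", "Component", "Computer",
               "Network", "Internetwork"},
    "unauthorized_result": {"Increased Access", "Disclosure of Information",
                            "Corruption of Information", "Denial of Service",
                            "Theft of Resources"},
    "objective": {"Challenge, Status, Thrills", "Political Gain",
                  "Financial Gain", "Damage"},
}


def classify(event: dict) -> dict:
    """Validate one event record.  Every supplied value must belong to its
    column (slide 20: unambiguous), and an event is at least an action on a
    target (slide 22).  Unknown fields or values raise ValueError."""
    out = {}
    for column, allowed in TAXONOMY.items():
        value = event.get(column)
        if value is None:
            continue  # not yet known, e.g. attacker before attribution
        if value not in allowed:
            raise ValueError(f"{value!r} is not a recognised {column}")
        out[column] = value
    if "action" not in out or "target" not in out:
        raise ValueError("an event is an action directed at a target")
    return out


def is_intrusion(event: dict) -> bool:
    """Slide 27: an attempted intrusion has no unauthorized result."""
    return "unauthorized_result" in event


def build_intrusion_set(events: list) -> dict:
    """Slide 36: related intrusions sharing one intruder and one objective form
    an intrusion set.  Attempts are counted separately because slide 39 says
    attempted results must be reported as well."""
    checked = [classify(e) for e in events]
    intrusions = [e for e in checked if is_intrusion(e)]
    who = {e.get("attacker") for e in intrusions} - {None}
    why = {e.get("objective") for e in intrusions} - {None}
    if len(who) > 1 or len(why) > 1:
        raise ValueError("events span more than one intruder or objective")
    return {
        "intruder": next(iter(who), "unknown"),
        "objective": next(iter(why), "unknown"),
        "results": [e["unauthorized_result"] for e in intrusions],
        "attempts": sum(1 for e in checked if not is_intrusion(e)),
    }


# Constructed records mirroring slides 31-33, plus one attempt stopped at the
# firewall.  "Root level access" (slide 32) maps onto the taxonomy's
# Increased Access; the vulnerability values are assumptions.
CASE_STUDY = [
    {"tool": "User Command", "vulnerability": "Configuration",
     "action": "Authenticate", "target": "Account",
     "unauthorized_result": "Increased Access"},                 # Intrusion 1
    {"tool": "User Command", "vulnerability": "Implementation",
     "action": "Bypass", "target": "Process",
     "unauthorized_result": "Increased Access"},                 # Intrusion 2
    {"tool": "User Command", "action": "Steal", "target": "Data",
     "unauthorized_result": "Disclosure of Information"},        # Intrusion 3
    {"tool": "Toolkit", "action": "Probe", "target": "Computer"},  # attempt only
]

if __name__ == "__main__":
    print(build_intrusion_set(CASE_STUDY))
```

The intruder and objective come back as "unknown" for the case study: that is the gap slide 37 describes, where the intrusion set answers the “what” and attribution still needs more information.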

  40. New Work
  • CERT/CC: AirCERT
    • Effort to collect nationwide incident data
  • US Military: Joint Task Force-CNO
  • FBI: Cyber Forensic Centers
  • InfraGard

  41. SUMMARY
  • Technology Improvements Arriving
  • Common Taxonomy Developed
  • Increased Data Sharing Ongoing
  • Prosecutions Increasing
